Editorial Board Teleconference Summary - June 21, 2001
------------------------------------------------------
Participants
------------
Participants in the teleconference included:
Bill Fithen (CERT/CC)
Tim Collins (NFR)
Renaud Deraison (Nessus)
Dana Foat (NSA)
Andre Frech (ISS)
Peter Mell (NIST)
Ron Nguyen (Ernst & Young)
Shawn Hernan (CERT/CC)
Scott Lawler (DOD-CERT)
Larry Oliver (IBM)
Pascal Meunier (Purdue CERIAS)
Marcus Ranum (NFR)
Adam Shostack (Zero Knowledge)
Kevin Ziese (Cisco)
Alan Paller (SANS)
Andy Balinsky (Cisco)
Ben Greenbaum (SecurityFocus; proxy for Elias Levy)
MITRE participants included:
Dave Baker
Steve Christey
Margie Zuk
Bob Martin
Andy Bair
Barbara Pease
Content Update
--------------
Currently, there are 1510 entries and 1120 candidates. The content
team continues to process the legacy submissions that were obtained
from databases provided by Editorial Board members. All submissions
have been matched against each other and formed into groups of closely
related submissions. There are roughly 4500 submission groups, from
approximately 8500 total legacy submissions. Since there were 10
databases provided to MITRE, this shows how little overlap there was
between databases, as the average group only included submissions from
2 databases. So far, approximately 500 of these legacy submission
groups have been refined. About 150 legacy candidates will be created
from these groups. The other 350 groups are duplicates of existing
CVE entries or candidates; they will help to extend the references for
those items, however. Some content team members are working on
refining new submissions into candidates.
A description of the submission process is in the "Submission Stage"
section at http://cve.mitre.org/board/archives/2000-08/msg00013.html
CVE Naming Scheme Changes
-------------------------
There are various problems with the current CAN-YYYY-NNNN /
CVE-YYYY-NNNN scheme. It can be difficult to find these items from
most search engines (the hyphens can be problematic). When a
candidate changes to an entry, the CAN prefix of the name is changed
to CVE; this increases maintenance costs for CVE-compatible products,
since they need to change the name from a CAN to CVE. One database
was observed to have some "CAN" numbers for issues that had been
converted to CVE entries about 7 months ago, and it is suspected that
this problem is typical. Also, if a person searches a product using
the CAN-YYYY-NNNN number, but the product has the problem indexed
under CVE-YYYY-NNNN, then the person may not find that issue. The
current naming scheme only allows for a maximum of 10,000 issues per
year, which might not be sufficient in some cases (this is the
"CAN-10K" problem). Some CVE-compatible products drop the CAN/CVE
prefix altogether and just use a "YYYY-NNNN" scheme. Other problems
were discussed and are documented in the next section.
Given these problems, it may be appropriate to change the current
naming scheme. For example, a single identifier could be used for
candidates as well as entries, and the entry/candidate status could be
provided as a separate field.
Any change, however, could have a major impact on all CVE-compatible
product developers, as well as CVE users. Participants in the
teleconference said that the impact of such a change would have
minimal effect on their own products.
Board members agreed that it is important to minimize the number of
changes to the naming scheme, otherwise CVE would lose the major
advantage of providing a common and stable identifier. If a change
should occur, it should only happen once; so, all known problems with
the scheme should be addressed at the same time.
To assist in the transition to a new scheme, MITRE would need to
maintain the old naming scheme alongside the new scheme for a
sufficient period of time, perhaps 6 months or a year. MITRE will
provide a mapping from the old scheme to the new scheme, which will
always be available on the CVE web site.
There could be some problems with old advisories that reference CVE
names. Those advisories would need to be updated where possible, but
there may be older copies that cannot be changed, such as mailing list
archives. The advisory provider already has some a small maintenance
cost for changing a CAN number to a CVE number anyway, so it makes
sense to provide a single identifier. MITRE plans to notify advisory
authors when their CAN's become CVE's on a regular basis, but this
would not be necessary with a unified scheme.
Addressing Misuse and Information Leaks of CAN Numbers
------------------------------------------------------
CAN numbers effectively encode time, which releases potentially
sensitive information such as how soon a vendor knew of the issue.
Users may like this capability in gauging a vendor's response time,
and it may also show how long a researcher has worked with the vendor
on an issue. For example, Rain Forest Puppy reserved CAN-2001-0001
for an issue, but the vendor was slow in fixing the problem. RFP was
eventually forced to publicize the issue, when most candidates being
published were in the "200" range (CAN-2001-02xx). Some Board members
agreed that it could be important to hide this information, possibly
due to previous agreements with vendors. They agreed that while it
might be useful to some people, it was not essential to have the
candidate name effectively reflect the date of assignment.
It is also suspected that information in the CAN/CVE name is already
misused by the public. For example, many probably assume that the
year portion of the number is when the issue was first publicized, not
when the candidate number was assigned to the issue. There may also
be cases in which an entity reserves a block of candidates which are
not assigned to an issue for weeks or months; sometimes an "old"
candidate number may be publicized for a brand new issue, which could
cause confusion on the part of users, or make it appear that the issue
has been known for a long time.
CERT/CC has a numbering scheme that allows them to provide effectively
random numbers that don't give away any temporal information. The
Board will discuss this approach when considering a new scheme.
While the current scheme is still being used, MITRE will provide more
prominent disclaimers that CAN/CVE numbers do not imply when an issue
was first known, when it was publicized, etc. MITRE will add these
disclaimers to individual candidates (especially those that are
reserved) as well as the full downloads for the CVE and candidate
lists.
Discussion of Candidate Numbering Authorities (CNAs)
----------------------------------------------------
A detailed proposal for Candidate Numbering Authorities (CNAs) was
sent to the Editorial Board mailing list on June 14, 2001, with the
subject "[TECH] Candidate Numbering Authorities".
So far, various organizations have reserved a total of 170 candidate
numbers for use in first-time public announcements of vulnerabilities.
Approximately 150 of these have been published.
Some Board members have wanted more rapid response in terms of
assigning candidates to new issues, sometimes within hours after the
issue is first published. MITRE's content team is currently unable to
meet these needs, as some members are also processing the legacy
submissions, and all are still learning how to apply CVE content
decisions appropriately (though much progress has been made in the
last 6 months).
Candidate Numbering Authorities (CNAs) could obtain blocks of
candidate numbers from MITRE and assign them to new issues, without
directly involving MITRE. CERT/CC and SecurityFocus could be other
CNAs, as they are already involved in the disclosure process as third
parties (intermediaries between researchers and vendors). Major IT
vendors with a large product line could also be CNAs for their own
products. For example, Microsoft is already a de facto CNA, as MITRE
provides them with candidate blocks that they assign to issues without
consulting MITRE.
A CNA must be an Editorial Board member, since the CNA must be
familiar with CVE content decisions and the assignment process;
indeed, the CNA may be involved in modifying these. As a side effect,
the screening process for Editorial Board membership could be used to
filter out unqualified CNAs.
It was suggested that distributing candidates across all parties could
be difficult to coordinate, especially when multiple vendors are
involved. However, Board members did not think that it would be a
significant problem, as the process for coordinating such information
is already largely in place.
It had been proposed that each CNA could have its own "policy" that
reflects how quickly it responds to a researcher's request for a
candidate number, how closely it works with vendors, what guidelines
the researcher must follow in terms of disclosing the problem, etc.
The intention was to allow multiple CNAs who used different disclosure
policies, different response times, etc. For example, MITRE's own
"disclosure policy" for researchers might be more restrictive than
that of SecurityFocus.
Some Board members suggested that CNAs should all follow a common
minimal policy for "responsible disclosure," such as working with the
vendor to fix the problems, or giving unresponsive vendors sufficient
time before releasing. If researchers do not follow that policy, then
the CNA would not provide them with candidate numbers. Participants
agreed that this was a good approach.
There was some discussion regarding the impact of current disclosure
practices on CNAs. For example, some researchers may want anonymity
to shield them from threatened lawsuits. If the researcher wanted to
remain anonymous, but abused the CVE process, then the proposed
approach would require the CNA to notify MITRE of this abuse; this
might not be feasible. At the least, the CNA should avoid providing
candidates to such researchers in the future. Some Board members said
that a CNA should publicize the conditions under which they would
protect the anonymity of disclosers.
Some Board members were concerned with how the CNA should protect the
vulnerability information before public disclosure. It was proposed
that MITRE could set the technical policy that is specific to CVE, and
the CNA could define its own operational policies and procedures.
MITRE will still be available as a CNA to give out candidates to
requesters. Anybody who asks for one, gets one, provided they make it
public. To date, all requesters worked with vendors. MITRE's
response time can be as fast as 2 to 3 hours, but MITRE can't formally
commit to less than 2 business days. Others may advertise a
better/faster response time. MITRE would ask the researcher who they
contacted at the vendor.
There was a brief discussion of the concept of "vendor liaisons" for
CVE. The idea is to allow any vendor to participate in CVE by acting
as a liaison - consulting with MITRE or other Board members on
existing CVE candidates or entries, or by using candidates in its own
security advisories. Such vendor liaisons would not need to have the
skills and resources to be full-fledged CNAs or Board members. It
might be useful to publicize such liaisons on the CVE web site so that
researchers and other CNAs would know that they could work with the
liaisons on obtaining candidates. MITRE will continue to clarify this
role.
Board Membership Issues
-----------------------
Formalized roles, tasks, and expectations were proposed to the
Editorial Board mailing list on June 7. See:
http://cve.mitre.org/board/archives/2001-06/msg00002.htmlhttp://cve.mitre.org/board/archives/2001-06/msg00003.html
The overall participation by Board members was higher than originally
thought; defining the roles, tasks, and expectations has helped to
clarify how Board members participate in the CVE Initiative. However,
it is also clear that voting and other activities need more
participation than the current levels. While the Board currently
consists of 40 member, it might not be enough to accomplish all the
work that is needed.
Since then, Steve Christey consulted with approximately 10 Editorial
Board members regarding their role in the CVE Initiative. These
one-on-one discussions proved useful in clarifying the roles and tasks
for these members. While there are too many Board members to maintain
this contact on a regular basis, Steve and other MITRE personnel will
work to maintain contact. More frequent teleconferences might also
help in communicating with Board members.
It is expected that some members will move to Emeritus status, if they
have made significant contributions to the Board. MITRE is still
clarifying this role. For example, if a member occasionally makes
contributions to the CVE Initiative and then leaves, they might not
necessarily achieve the Emeritus status as currently defined by MITRE.
However, such members should be recognized in some fashion.
Some members may be asked to leave the Board. Steve Christey has
consulted with those members. Each member has expressed a desire to
stay on the Board. Each member agreed to a 2 month evaluation period
during which it is expected that they will raise their level of
participation.
Adding New Members
------------------
The Board discussed a basic approach for adding new members.
In the March 2001 meeting, some Board members suggested that MITRE
could ask Board members for feedback on prospective members. When
MITRE recommends a potential member, the Board could be given a time
limit (at least 2 weeks) to object or provide other feedback. A
different approach would involve having Board members cast a formal
vote. Participants anticipated several problems with a formal vote,
such as handling conflicting "accept" and "reject" votes.
Some members discussed the possibility of having a trial membership
period for new members, possibly 2 or 3 months. This approach would
allow the new member, and MITRE, to be certain that the new member can
accomplish his or her tasks. In the March 2001 meeting, some members
had expressed concerns with trial membership. There was mixed
reaction during the teleconference. In general, it was agreed that
trial membership would not be necessary; MITRE could closely monitor
new members and remove them from the Board if they could not
participate effectively.
Given the feedback by the Editorial Board, the basic process for
adding new members will probably involve the following steps:
1) MITRE will conduct the initial screening of the prospective member
(similar to MITRE's current screening process).
2) MITRE suggests the prospective member to the Editorial Board on a
private mailing list.
3) Board members may provide feedback as they see fit.
4) After at least a 2 week period, MITRE decides whether to add the
member, based on feedback from the Board and its own evaluation.
Currently, MITRE is delaying the review of approximately 10
prospective members until the new process is established.
Miscellaneous
-------------
The following topics were also discussed during the teleconference.
MITRE's lawyers sent a response to the vendor who threatened to sue
MITRE for publishing a candidate for their product. The response is
available to Board members upon request. Other Board members had been
threatened by the same vendor, but they did not respond legally,
because the vendor didn't use formal legal channels.
The next face-to-face meeting may take place in mid-September,
possibly the week of September 17. A hosting organization has not
been found yet. A side meeting could be held at the RAID Conference,
and an informal meeting could take place at Black Hat. The next
teleconference will take place in late July or early August.